ZITADEL race condition in lockout policy execution
CVE-2023-47111

7.3 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 8 November 2023

Summary

The ZITADEL Identity Infrastructure lets administrators set a Lockout Policy that caps the number of failed password attempts before a user is locked out. The check was not atomic with the counter update: a request read the current failure count, decided the user was not yet locked, verified the password, and only then recorded the failure. An unauthenticated attacker who sends many password checks for the same user in parallel therefore has all of them pass the lockout check before the first failure is written, giving far more guesses than the policy allows and making online password guessing against user accounts practical. The issue is fixed in versions 2.40.5 and 2.38.3.
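The race described above, as an added example in Go (the language ZITADEL is written in). This is illustrative code written for this page, not ZITADEL's own; the in-memory store, the `maxFailedAttempts` constant, the function names and the simulated hash cost are all assumptions. The vulnerable flow reads the counter, verifies, then writes; the hardened flow reserves the attempt under a lock before the expensive verification, so at most `maxFailedAttempts` guesses are ever evaluated no matter how many arrive at once.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Added example, not ZITADEL code. Constructed model of a per-user lockout
// counter used to contrast a check-then-act flow with an atomic reservation.

const maxFailedAttempts = 5 // assumed policy value

// lockoutStore is a constructed stand-in for the user's failed-login state.
type lockoutStore struct {
	mu     sync.Mutex
	failed map[string]int
}

func newLockoutStore() *lockoutStore {
	return &lockoutStore{failed: make(map[string]int)}
}

func (s *lockoutStore) failedCount(user string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.failed[user]
}

func (s *lockoutStore) recordFailure(user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.failed[user]++
}

func (s *lockoutStore) reset(user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.failed[user] = 0
}

// reserveAttempt is the fix: the "is the user locked?" decision and the
// counter increment happen under one lock, so at most maxFailedAttempts
// callers can ever reach the password check.
func (s *lockoutStore) reserveAttempt(user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.failed[user] >= maxFailedAttempts {
		return false
	}
	s.failed[user]++
	return true
}

// passwordChecker simulates a costly hash comparison (bcrypt/argon2 cost
// tens of milliseconds) and counts how many guesses were actually evaluated.
type passwordChecker struct {
	secret string
	checks int64 // read/written atomically
}

func (c *passwordChecker) verify(guess string) bool {
	atomic.AddInt64(&c.checks, 1)
	time.Sleep(20 * time.Millisecond) // stand-in for the hash cost
	return guess == c.secret
}

// vulnerableLogin mirrors the flawed ordering: read the counter, decide,
// verify, and only then write. Every request that reads the counter before
// the first failure is recorded passes the lockout check.
func vulnerableLogin(s *lockoutStore, c *passwordChecker, user, guess string) bool {
	if s.failedCount(user) >= maxFailedAttempts {
		return false // locked
	}
	if c.verify(guess) {
		s.reset(user)
		return true
	}
	s.recordFailure(user)
	return false
}

// hardenedLogin reserves the attempt first. A wrong guess is already
// counted by the time verification runs; a correct one clears the counter.
func hardenedLogin(s *lockoutStore, c *passwordChecker, user, guess string) bool {
	if !s.reserveAttempt(user) {
		return false // locked
	}
	if c.verify(guess) {
		s.reset(user)
		return true
	}
	return false
}

type loginFunc func(*lockoutStore, *passwordChecker, string, string) bool

// floodGuesses fires n wrong guesses for one user at the same instant
// (released by closing start) and returns how many the checker evaluated.
func floodGuesses(login loginFunc, n int) int64 {
	store := newLockoutStore()
	checker := &passwordChecker{secret: "correct horse battery staple"}
	start := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			<-start
			login(store, checker, "alice", fmt.Sprintf("guess-%d", i))
		}(i)
	}
	close(start)
	wg.Wait()
	return atomic.LoadInt64(&checker.checks)
}

func main() {
	const n = 50
	fmt.Printf("lockout policy: %d failed attempts\n", maxFailedAttempts)
	fmt.Printf("vulnerable flow: %d of %d concurrent guesses were checked\n", floodGuesses(vulnerableLogin, n), n)
	fmt.Printf("hardened flow:   %d of %d concurrent guesses were checked\n", floodGuesses(hardenedLogin, n), n)
}
```

The mutex only makes the reservation atomic within one process. In a real deployment with several instances sharing a database or event store, the same property has to come from the store itself (a conditional update, a serialized per-user command, or an equivalent), otherwise the race simply moves across instances.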

Affected Version(s)

zitadel >= 2.39.0, < 2.40.5 (fixed in 2.40.5)

zitadel < 2.38.3 (fixed in 2.38.3)

CVSS V3.1

Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 8 November 2023